Replacing Zscaler: A 2026 Migration Guide from Cloud Proxy to Endpoint SWG
The short answer
Replacing Zscaler in 2026 is a side-by-side migration to an agent-based endpoint Secure Web Gateway. With dope.security, you deploy the agent through your MDM in monitor mode, mirror your Zscaler ZIA category, custom URL, DLP, and CAC policies into dope.console, validate on a pilot group, then enforce and remove the Zscaler client in waves. No downtime, no proxy stand-up, and no data center work.
Before you start: why teams are leaving Zscaler
Buyers we work with are almost always running from one or more of these:
- Latency. Every request rides through a Zscaler PoP. Users in remote geographies and users hitting nearby SaaS apps feel it.
- Console sprawl. ZIA, ZPA, ZDX, posture, and acquired modules each have their own console.
- Renewal pressure. Per-feature pricing scales painfully with a fully remote workforce.
- AI governance gap. Knowledge workers are pasting source code, customer data, and IP into ChatGPT and Claude. The native ZIA policy is not enough.
- Restricted geographies. China, parts of APAC, certain LATAM routes. Backhaul-dependent architectures struggle.
If two or more of these are on your list, a migration is overdue.
What you are migrating to
dope.security is an agent-based Secure Web Gateway. The agent inspects traffic on the device, decrypts TLS locally, applies SWG policy, runs Dopamine DLP on uploads and AI prompts, and enforces Cloud Application Control on SaaS tenants. There is no proxy data center. Traffic goes Fly Direct.
The platform includes SWG, CASB Neural, Dopamine DLP, and Cloud Application Control in a single console. ZIA, ZIA's DLP add-on, and ZIA's CASB add-on are all replaced by one agent and one license.
The migration playbook
This is the same shape we have used on Cisco Umbrella migrations at 2,000 machines in two days, on the Fortune 100 deployment that hit 18,000+ devices, and on Greylock Partners' move off Cisco Umbrella in 27 days. The Zscaler version is a small variation.
| Phase | Action with dope.security | Zscaler state |
|---|---|---|
| Week 1, plan | Export ZIA policy: URL categories, custom URLs, DLP rules, CAC equivalents | No change |
| Week 1, pilot deploy | MDM push agent to 50-100 pilot devices in monitor mode | Continues to enforce |
| Week 2, policy parity | Mirror ZIA policy into dope.console; validate log streams side by side | Continues to enforce |
| Week 2, enforce pilot | Switch pilot to enforce, remove Zscaler client from pilot devices | Bypassed on pilot devices only |
| Weeks 3-5, waves | Roll the rest of the fleet in waves through MDM | Decommissioned per wave |
| Week 6, decommission | Validate 100% coverage in dope.console | Cancel ZIA add-ons (DLP, CASB, posture); terminate ZIA at renewal |
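
The Week 2 step "validate log streams side by side" can be scripted as a verdict diff. The sketch below is an added example, not code from dope.security or Zscaler. It assumes both log exports have already been normalized to a hypothetical `device,host,action` CSV, which is not either product's real export format, and all sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample data in an assumed, normalized shape: device,host,action
ENFORCING_LOG = """device,host,action
lt-001,mail.example.com,allow
lt-001,paste.example.net,block
lt-002,files.example.org,block
lt-002,bank.example.com,allow
lt-003,chat.example.ai,block
"""
MONITOR_LOG = """device,host,action
lt-001,mail.example.com,allow
lt-001,paste.example.net,block
lt-002,files.example.org,allow
lt-002,bank.example.com,block
"""
TLS_BYPASS = {"bank.example.com"}  # constructed stand-in for the bypass export

def load(text):
    """Map (device, host) -> action; a 'block' wins if the pair repeats."""
    verdicts = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["device"].strip().lower(), row["host"].strip().lower())
        if verdicts.get(key) != "block":
            verdicts[key] = row["action"].strip().lower()
    return verdicts

def parity_report(enforcing, monitor, bypass=frozenset()):
    """Classify every (device, host) the enforcing gateway logged."""
    report = []
    for key, old in sorted(enforcing.items()):
        new = monitor.get(key)
        if new is None:
            status = "not_seen"        # agent missing or traffic not captured
        elif new == old:
            status = "match"
        elif key[1] in bypass:
            status = "bypass_review"   # differs, but host is on the TLS bypass list
        elif old == "block":
            status = "gap"             # blocked today, allowed after cutover
        else:
            status = "stricter"        # allowed today, blocked after cutover
        report.append((key, old, new, status))
    return report

def summary(report):
    """Count results per status, e.g. to gate the switch to enforce."""
    return Counter(status for *_, status in report)
```

A pilot is ready for enforce mode only when `gap` and `not_seen` are both zero; `stricter` and `bypass_review` rows need a policy owner's decision rather than an automatic fix.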
Policy parity in detail
The mapping between ZIA and dope.security is direct.
- ZIA URL categories map to dope.security URL categories. Custom lists import.
- ZIA SSL inspection maps to on-device SSL inspection in dope.security. The cert pin model is the same; bypass lists carry over.
- ZIA DLP maps to Dopamine DLP. Upload and AI-prompt inspection live in the same engine.
- ZIA CASB maps to CASB Neural. Posture coverage for OneDrive and Google Drive lives here.
- Tenant restriction (block personal SaaS, allow corporate) maps to Cloud Application Control.
There is no ZIA primitive that does not have a dope.security counterpart. The few that read differently come down to console layout, not capability.
What to watch during the cutover
Three risks worth flagging up front.
TLS-inspection sensitivity. A small number of destinations (sometimes financial sites, certain banking apps, certain certificate-pinned mobile apps) need to be on a bypass list. dope.security supports the same bypass approach Zscaler does. We help build the initial list from the ZIA bypass export.
ZPA dependencies. If your team uses ZPA for remote access to internal apps, leave it in place during the SWG cutover. dope.security and ZPA do not conflict. VPN replacement is on the dope.security roadmap.
Forwarding configurations. If you forward traffic to Zscaler through PAC files, GRE/IPsec tunnels, or browser settings, remove those at the device level as part of decommissioning. dope.security does not need any of them.
Frequently asked questions
How long does a Zscaler replacement actually take? Typical cutovers run four to six weeks for mid-market fleets. Smaller fleets finish in two. Large fleets roll in waves and complete within a quarter.
Do I lose any visibility during the move? No. dope.security in monitor mode gives you parallel logs against Zscaler. Once enforce is on, dope.console shows you full URL, DLP, and CASB events.
Can I keep ZPA and replace only ZIA? Yes. Many teams do exactly this. dope.security handles the web, DLP, CASB, and AI governance layer while ZPA remains for internal app access.
Will my Zscaler renewal save more than the dope.security spend? For most mid-market and enterprise customers, yes, especially once ZIA add-ons (DLP, CASB, ZDX) are priced in. The single-platform model removes per-feature line items.
Does dope.security work in China? Yes. Agent-based, on-device inspection is not dependent on a backhauled PoP, so users in China and other restricted geographies get consistent enforcement without the routing problems that affect cloud proxy SSEs.
Get a scoped migration plan
Bring your ZIA policy export and a device count. We will build a side-by-side migration plan on the first call. Start at dope.security.



